Maplebear (CART) Risk Analysis

If one or more competitors or retailers were to merge, acquire, or partner with another competitor or retailer, the change in the competitive landscape could adversely affect our ability to compete effectively. Consolidation amongst major retail partners could impact contractual negotiations with such retail partners, result in lower utilization of our products, or lead ultimately to termination of existing retailer engagements. In addition, our competitors may also establish or strengthen cooperative relationships with current or future retailers, brands, and other parties with whom we have relationships, which could limit our ability to promote our offerings to those retailers and reduce our number of customers. As a result of these and future potential acquisitions or strategic partnerships, current and future retailers may begin working more closely, or on an exclusive basis, with other competitors with whom they have combined or otherwise established new relationships. Disruptions in our business caused by these events could adversely affect our business and results of operations.

The market acceptance of our offerings is critical to our continued success. Historically, consumers and retailers have been slower to adopt online grocery shopping than e-commerce offerings in other industries such as consumer electronics and apparel. Grocery is a complex market, and improving upon the traditional consumer in-store experience through an online platform or with connected shopping experiences is difficult due to broad consumer demands on selection, quality, affordability, and convenience. Grocery shopping habits and related consumer preferences are complex and diverse across and within geographies and across demographics and age groups. Changing traditional grocery shopping habits is difficult, and if consumers and retailers do not embrace the transition to online grocery shopping and connected shopping experiences as we expect, our business and operations could be harmed. The amount of influence we may have over these shopping habits and preferences, and the methods at our disposal to exercise such influence (including marketing and incentives), may be limited, and we are dependent on external influences over shopping habits and macroeconomic factors. In particular, shopping habits and preferences vary between younger and older consumers, consumers across different income groups, and among other demographic characteristics, and to be successful, we need to effectively increase market acceptance across all age, income, and other demographically different groups by increasing brand awareness and focusing marketing efforts on relevant habits and preferences. Moreover, even if more consumers begin to shop for groceries online, if we are unable to address their changing needs, or the evolving needs of retailers or brands, and anticipate or respond to market trends and new technologies in a timely and cost-efficient manner, we could experience decreased adoption, increased customer churn and lose the support of retailers and brands, any of which would adversely affect our business and results of operations. Demand for our offerings is also affected by a number of factors beyond our control, including macroeconomic conditions, initiatives by retailers to influence shopping behavior, continued market acceptance of our offerings, the timing of development and release of new offerings and features by us, the timing or manner of the adoption of our offerings by retailers and our competitors, changing consumer preferences, technological change, brand recognition, and growth or contraction in our markets. If we fail to achieve increased market acceptance of our offerings, our business could be seriously harmed.

We are not able to control or predict the actions of retailers, customers, brands, shoppers, and other third parties, either during their use of Instacart or otherwise, and we may be unable to protect or provide a safe environment for constituents on Instacart as a result of criminal, violent, inappropriate, or dangerous actions by any such parties. Such actions have historically resulted, and may in the future result, in injuries, property damage, or loss of life for retailers, customers, brands, shoppers, and other third parties, as applicable, or business interruption, brand and reputational damage, or significant liabilities for us. Certain events, including incidents of criminal behavior, episodes of civil unrest, or the imposition of curfews, may impact retailers, which in turn may impact the ability of shoppers to provide services to customers through Instacart. With respect to shoppers, although we administer certain qualification processes for shoppers on Instacart, including one or more general identification, criminal background, department of motor vehicle, and/or motor vehicle record checks on shoppers through third-party service providers prior to engagement, these qualification processes and background checks may not expose all potentially relevant information and are limited in certain jurisdictions according to national and local laws and availability of records. Moreover, our third-party service providers may fail to conduct such background checks adequately or disclose information that could be relevant to a determination of eligibility. We have in the past received, and we expect to continue to receive, complaints from retailers, customers, shoppers, and other third parties, as well as actual or threatened legal action against us related to shopper, customer, retailer, and other third party conduct. Public reporting or disclosure of reported safety information, including information about safety incidents reportedly occurring on or related to Instacart, whether generated by us or third parties, such as media or regulators, may adversely impact our business and financial results. If shoppers or individuals impersonating shoppers or customers engage in criminal activity, fraud, including identity theft, use of stolen or fraudulent credit card data, misconduct, breach of our terms of service, or inappropriate conduct or use Instacart as a conduit for criminal activity, or we fail to identify or detect, or experience delays in identifying or detecting such activity or events, or if we are prevented from deactivating such individuals or otherwise taking action to stop such activity, including as a result of regulations, our financial results may be negatively impacted, our offerings may not be viewed as safe, reliable, or appealing, and we may receive negative press coverage as a result. Such negative public perception of our offerings or brand would adversely impact our brand, reputation, and business. We have in the past experienced, and may experience in the future, inappropriate conduct and criminal activity by certain shoppers or other bad actors, including fraudulent uses of credit cards, manipulation or falsification of data related to shopper activity, social engineering attacks to gain access to customer and shopper accounts, as well as fraudulent use of our payment card programs. This conduct has in the past involved, and may in the future involve, coordinated and complex fraud schemes that are difficult to detect and prevent. Given their complexity, such schemes have in the past persisted, and future schemes may also persist, for lengthy periods prior to detection. As a result of these fraudulent schemes, we have in the past been, and may in the future be, liable for orders facilitated on Instacart with fraudulent credit card transactions, even if the associated financial institution approved the credit card transaction. In addition, even if we are not contractually required to do so, we have historically provided retailers with business concessions for related losses in certain cases and may provide additional concessions as a result of future schemes. These retailer concessions and any liability we otherwise face from such inappropriate or fraudulent conduct negatively impact our revenue and financial results. In addition, the process for quantifying the amount of financial losses from these fraudulent schemes may be lengthy, in part due to their complexity and, in cases where the fraudulent activity occurs through systems controlled by our partners, we may be unable to remediate or prevent this activity in a timely manner or at all due to limitations in, or our ability to, interact with such systems. As a result, the impact of such schemes on our financial results may continue into future periods or have higher impacts to our financial results than we anticipate, even following their termination. Our failure to adequately detect, address, or prevent fraudulent transactions could harm our reputation or brand, result in litigation or regulatory action, result in errors in our financial statements that could result in corrections to or restatements of our historical financial statements, cause delays in the preparation and filing of our periodic reports as well as failures to meet our reporting and other obligations as a public company, and lead to expenses that could adversely affect our business, financial condition, and results of operations. If other criminal, inappropriate, or other negative incidents occur due to the conduct of retailers, customers, brands, shoppers, or other third parties, our ability to attract retailers, customers, brands, and shoppers may be harmed, and our reputation, business, and financial results could be adversely affected. Further, we are regularly subject to claims of significant liability based on traffic accidents, deaths, injuries, or other incidents that are caused by shoppers, customers, or third parties while using Instacart, or even when shoppers, customers, or third parties are not actively using Instacart. On a smaller scale, we regularly face litigation related to claims by shoppers for the actions of customers or third parties. We carry insurance for such incidents, including automobile liability and general liability insurance, although such policies do not cover all claims to which we are exposed and are not always adequate to indemnify us for all liability. Although shoppers are required to carry their own insurance policies, including automobile insurance, they may fail to acquire adequate coverage or any coverage at all. As a result, we may be subject to liability for incidents involving shoppers that our insurance policies may not cover or the cost of our policies may increase. These incidents may subject us to liability and negative publicity, which would increase our operating costs and adversely affect our business, financial condition, results of operations, and future prospects. Even if these claims do not result in liability, we will incur significant costs in investigating and defending against them and may suffer reputational harm regardless of legal outcomes. As we expand our products and offerings, this insurance risk will grow.

We have in the past been, are currently in, and may in the future become subject to intellectual property disputes. Our success depends, in part, on our ability to develop and commercialize our offerings without infringing, misappropriating, or otherwise violating the intellectual property rights of third parties. However, we may not be aware that our offerings are infringing, misappropriating, or otherwise violating third-party intellectual property rights, and such third parties may bring claims alleging such infringement, misappropriation, or violation. For example, we rely on a combination of third-party intellectual property licenses and the fair use doctrine when we refer to third-party intellectual property, such as brand names and product images, on Instacart. Third parties may dispute the scope of those rights or the applicability of the fair-use doctrine or otherwise challenge our ability to reference their intellectual property in the course of our business. From time to time, we are contacted by companies controlling brands of products that are sold by retailers, demanding that we cease referencing those brands or take down product images on Instacart. Additionally, companies in the internet and technology industries, and other patent holders, including "non-practicing entities," seeking to profit from royalties in connection with grants of licenses or seeking to obtain injunctions, own large numbers of patents and other intellectual property and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights. To reduce the risk of adverse outcomes in intellectual property disputes, we may need to establish new intellectual property agreements or renew existing licenses. However, this strategy of cross-licensing our patent portfolio with third parties in order to settle infringement claims brought against us may not be appropriate in the future and is not effective against certain patent owners, such as non-practicing entities. Other parties have asserted, and in the future may assert, that we have infringed their intellectual property rights. Any claims of intellectual property infringement, even those without merit, could be time consuming and costly to defend, cause us to cease using or incorporating the asserted intellectual property rights, divert management's attention and resources, and expose us to other legal liabilities, such as indemnification obligations. We could be required to pay substantial damages or cease using intellectual property or technology that is deemed infringing or be required to enter into royalty or licensing agreements to obtain the right to use a third party's intellectual property. Any such royalty or licensing agreements may not be available to us on acceptable terms or at all. Additionally, a successful claim of infringement against us could result in us being required to pay significant damages or enter into costly license or royalty agreements, either of which could have an adverse impact on our business. The technology industry is characterized by the existence of a large number of patents, copyrights, trademarks, trade secrets, and other intellectual and proprietary rights. Companies in the technology industry are often required to defend against litigation claims based on allegations of infringement, misappropriation, or other violations of intellectual property rights. Our technologies may not be able to withstand any third-party claims against their use. In addition, some companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. Relative to certain of our competitors, we do not currently have a large patent portfolio, and our relative patent portfolio size may reduce the deterrence value of our portfolio against patent infringement claims brought by competitors or other entities with larger portfolios. Our competitors and others may now and in the future have significantly larger and more mature patent portfolios than we have. If a third party is able to obtain an injunction preventing us from accessing such third-party intellectual property rights, or if we cannot license or develop alternative technology for any potentially infringing aspect of our business, we could be forced to rebrand our offerings, limit, or stop sales of our offerings and technology capabilities, or cease business activities related to such intellectual property. Although we carry general liability insurance, our insurance may not cover potential claims of this type or may not be adequate to indemnify us for all liability that may be imposed. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not have an adverse effect on our business, financial condition, or results of operations. Any intellectual property litigation to which we might become a party, or for which we are required to provide indemnification, may require us to do one or more of the following: - cease selling or using offerings that incorporate the intellectual property rights that we allegedly infringe, misappropriate, or violate;- make substantial payments for legal fees, settlement payments, or other costs or damages;- obtain a license, which may not be available on reasonable terms or at all, to sell or use the relevant technology; or - redesign the allegedly infringing offerings to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible. Even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and results of operations. Moreover, there could be public announcements of the results of hearings, motions, or other interim proceedings or developments and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our common stock. We expect that the occurrence of infringement claims is likely to grow as the market for Instacart and our offerings grows. Accordingly, our exposure to damages resulting from infringement claims could increase, and this could further exhaust our financial and management resources.

We depend in part on mobile operating systems, such as Android and iOS, and their respective app marketplaces to make Instacart available to retailers, customers, brands, and shoppers. Any changes in such systems and app marketplaces that degrade the functionality of our apps or give preferential treatment to our competitors' apps could adversely affect Instacart's usage on mobile devices. If such mobile operating systems or app marketplaces limit or prohibit us from making our apps available to retailers, customers, brands, or shoppers, make changes that degrade the functionality of our apps, change the way we collect or use data, increase the cost of using our apps, impose terms of use unsatisfactory to us, alter how we collect fees, increase our compliance costs, impair or inhibit our ability to enter into partnerships or effectively market partnerships, or modify their search or ratings algorithms in ways that are detrimental to us, or if our competitors' placement in such mobile operating systems' app marketplace is more prominent than the placement of our apps, our growth could slow. Our apps have experienced fluctuations in placement in the past, and we anticipate similar fluctuations in the future. Additionally, we are subject to requirements imposed by app marketplaces such as those operated by Apple and Google, who have and may further change their technical requirements or policies in a manner that adversely impacts the way in which we collect, use and share data from users. For example, Apple requires mobile applications using its iOS mobile operating system to obtain a user's permission to track them or access their device's advertising identifier for certain purposes. The long-term impact of these and any other changes remains uncertain. If we do not comply with applicable requirements imposed by app marketplaces, we could lose access to the app marketplaces and users, and our business would be harmed. Any of the foregoing risks could adversely affect our business, financial condition, and results of operations. As new mobile devices and mobile platforms are released, there is no guarantee that certain mobile devices will continue to support our apps or that we can effectively roll out updates to our app. Additionally, in order to deliver high-quality apps, we need to ensure that Instacart is designed to work effectively with a range of mobile technologies, systems, networks, and standards. If retailers, customers, brands, or shoppers that utilize Instacart encounter any difficulty accessing or using our apps on their mobile devices or if we are unable to adapt to changes in popular mobile operating systems, we expect that our growth and engagement would be adversely affected.

As part of our normal business activities, we collect, use, store, share, transmit, and otherwise process sensitive, proprietary, and confidential information, including personal information of retailers, customers, brands, shoppers, employees, and others. We are subject to a variety of federal, state, local, and foreign privacy, data security, data protection,AI, machine learning, and automated decision-making laws, regulations, regulatory guidance, industry standards, contractual obligations, and codes of conduct, many of which have become increasingly stringent in recent years and are complex, constantly evolving, impose heavy compliance burdens, and may have conflicting requirements. New laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally which could further restrict certain uses of the personal information of retailers, customers, brands, shoppers, employees, and others. In the United States, there are numerous federal and state privacy and data security laws, rules, and regulations governing the collection, use, storage, sharing, transmission, and other processing of personal information, including federal and state privacy laws, data security laws, data breach notification laws, consumer protection laws, and other similar laws (e.g., wiretapping laws). For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 and the Telephone Consumer Protection Act of 1991 impose specific requirements on communications with customers. There are also a growing number of laws and regulations governing the use of AI, machine learning, and automated decision-making systems, which may increase the cost and complexity of operating our business. In addition, many state legislatures have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data, such as the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights has and may continue to impact our business and ability to provide our offerings. For example, the California Consumer Privacy Act applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. Some states also impose stricter requirements for processing certain categories of personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the Illinois Biometric Information Privacy Act regulates the collection, use, safeguarding, and storage of biometric information. These and other U.S. state privacy laws have and may continue to further complicate compliance efforts and increase our legal risk and compliance costs, including with respect to our marketing initiatives, Instacart Ads offerings, identity verification technologies, and AI offerings. We are also subject to certain health information privacy and security laws. A number of state legislatures have adopted legislation that regulates how businesses may use consumers' health data. For example, the Washington My Health My Data Act creates restrictions on the use of consumer health data for purposes such as marketing and advertising. As a result, our marketing initiatives and Instacart Ads and Instacart Health offerings could be further limited and we have incurred and expect to continue incurring additional compliance expenses. We are also subject to HIPAA as a result of the limited amount of health information that we receive in connection with baskets containing prescriptions and certain of our Instacart Health initiatives. We maintain a HIPAA compliance program, but it is not always possible to identify and deter misuse by our employees, contractors, and other third parties, and the precautions we take to detect and prevent noncompliance may not be effective in preventing all misuse, breaches, or violations. Violations of HIPAA may result in significant administrative, civil, and criminal penalties. State attorneys general also have the right to prosecute HIPAA violations committed against residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for a HIPAA violation, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in misusing personal information. Many states in which we operate and in which our customers reside also have laws that protect the privacy and security of health information, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Failure to comply with such state laws may also subject us to significant penalties. Some U.S. states and the FTC have also adopted privacy laws or issued guidance limiting the collection and use of certain health information that may extend to our customers' interactions with certain over-the-counter health products. As we continue to expand internationally, our efforts to comply with applicable foreign privacy laws may increase the costs and complexity of operating our business. In Canada, the Personal Information Protection and Electronic Documents Act and various provincial laws require that companies give detailed privacy notices to consumers, obtain consent to use personal information, with limited exceptions, allow individuals to access and correct their personal information, and report certain data breaches. In addition, Canada's Anti-Spam Legislation prohibits email marketing without the recipient's consent, with limited exceptions. Failure to comply with these or provincial privacy or data protection laws could result in significant fines and penalties or possible damage awards. The Canadian province of Quebec also passed a comprehensive privacy law that grants individuals extensive rights with respect to their personal information, including the right to consent to certain marketing and advertising practices. In addition, certain of our subsidiaries have immaterial operations in China, Australia, and Mexico and are subject to local laws that impose a number of requirements on our processing and handling of personal information and direct marketing activities that may increase our compliance costs and risk of facing regulatory enforcement action. Certain of our subsidiaries are subject to the United Kingdom General Data Protection Regulation ("UK GDPR"), the European Union's General Data Protection Regulation ("GDPR"), the European Union's Artificial Intelligence Act, and various Member State laws and regulations governing data protection and AI. Further expansion of our business, operations, or service offerings to the European Economic Area ("EEA"), will increase our exposure to data protection laws in the region, including the GDPR. The GDPR and UK GDPR impose strict requirements for processing personal data of individuals, give individuals extensive rights with respect to their personal data, carry penalties and potential corrective action for violations, and provide for private litigation. The United States, Europe, the United Kingdom, and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. We are subject to the U.S. Department of Justice's rule restricting certain transfers of sensitive personal data to designated countries of concern, which may increase compliance obligations and expose us to civil and criminal fines and penalties. The EEA and the United Kingdom have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws they believe are inadequate. Other jurisdictions have in the past and may continue to adopt similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and United Kingdom to the United States in compliance with law, such as the EEA's and UK's standard contractual clauses, certain of these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the United Kingdom, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, injunctions against our processing or transferring personal data necessary to operate our business, the inability to transfer data and work with partners, vendors and other third parties, and our ability to expand our business to the EEA, United Kingdom, or other countries with similar cross-border data transfer restrictions may be limited. Additionally, companies that transfer personal data out of the EEA and United Kingdom to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Other data protection laws in the EEA and the United Kingdom, such as those implementing the ePrivacy Directive, restrict the use of cookies and similar technologies on which our website, mobile app, and Instacart Ads offerings rely, including to facilitate online behavioral advertising. Regulators are increasingly focused on compliance with requirements in the online behavioral advertising ecosystem, and current national laws implementing the ePrivacy Directive are likely to be replaced in the European Union by a regulation known as the ePrivacy Regulation, which will significantly increase fines for non-compliance. Other countries outside of Europe increasingly emulate European data protection laws. As a result, operating our business or providing our offerings in Europe or other countries with similar data protection laws would subject us to substantial compliance costs and potential liability and may require changes to the ways we collect and use personal information. Governments and regulators in certain jurisdictions, including Europe, are increasingly seeking to regulate the use, transfer, and other processing of non-personal information (for example, under the European Union's Data Act). This means that, if and to the extent such regulations are relevant to our operations or those of our customers, certain of the risks and considerations outlined above may apply equally to our processing of both personal and non-personal data. We also publish privacy policies and other statements regarding data privacy, AI, and security. Regulators in the United States have scrutinized and are increasingly scrutinizing these statements, and if these policies or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. In addition, major technology platforms on which we rely, privacy advocates, and industry groups have regularly proposed, and may propose in the future, platform requirements or self-regulatory standards by which we are legally or contractually bound. If we fail to comply with these contractual obligations or standards, we may lose access to technology platforms on which we rely and face substantial regulatory enforcement, liability, and fines. For example, Apple requires mobile applications using its operating system, iOS, to affirmatively obtain an end user's permission for cross-contextual advertising. Such restrictions could limit the efficacy of our marketing activities and our Instacart Ads offerings. In addition, certain legislative proposals and draft regulations seek to further regulate targeted advertising activities, and regulators are increasingly scrutinizing the use of online tracking tools and compliance with requirements related to the online behavioral advertising ecosystem. As a result, we may be required to develop alternative solutions to support our marketing initiatives and/or change the way we deliver our Instacart Ads offerings. In addition, consumer resistance to the collection and sharing of the data used to deliver targeted advertising, increased visibility of consent or requirements to respond to privacy preference mechanisms as a result of regulatory or legal developments, the adoption by consumers of browser settings or "ad-blocking" software, and the development and deployment of new technologies could materially impact our ability to collect and use data or reduce our ability to deliver relevant promotions or media, which could materially impair the results of our operations. Apple and other technology platforms are considering similar and additional restrictions and obligations, including age verification and parental consent requirements, which may result in new platform-level policies or technical mandates that apply to all developers whose applications are distributed through those stores, which may increase our compliance burden and operational complexity. Despite our efforts, we may not be successful in achieving compliance with the laws, regulations, and requirements discussed above. Any actual or perceived non-compliance, by us or the third parties upon whom we rely, could result in litigation and proceedings against us by governmental entities, customers, or others (including class action claims or mass arbitration demands), expenditure of time and resources to defend any claim or inquiry, fines and civil or criminal penalties, limited ability or inability to operate our business, offer services, or market our offerings in certain jurisdictions, negative publicity and harm to our brand and reputation, reduced overall demand for our offerings, or substantial changes to our business model or operations. Such occurrences could adversely affect our business, financial condition, and results of operations.

We face potential liability, expenses for legal claims or appeasement credits or refunds, and harm to our reputation and business relating to the nature of on-demand delivery of food and other consumer goods, including potential claims related to food offerings, delivery, and quality. For example, third parties have asserted, and in the future could assert, legal claims against us in connection with personal injuries related to food poisoning, tampering, or accidents caused by our retail partners or shoppers while making a delivery to customers, defective products, or the sale, advertising, marketing, or consumption of alcoholic beverages, tobacco, or other regulated products by our retail partners to underage customers. In addition, we have in the past and may in the future also be subject to direct or indirect claims as a result of our relationships with, and services provided to, retailers, such as claims involving retailers' pricing on Instacart, infringement of intellectual property, California Proposition 65, product liability, and the Americans with Disabilities Act, among others. Our new or planned future offering enhancements may also subject us to new or unforeseen risks relating to on-demand food and consumer goods delivery. For example, we have added health attribute information, such as identifying products on Instacart as gluten- or dairy-free, and need to rely on third parties for the accuracy of such information. Erroneous reporting or omission, whether or not in our control, may result in claims against us alleging personal injuries, false advertising, and related legal claims, as well as harm to our brand and reputation. Reports, whether true or not, of food-borne illnesses (such as caused by E. Coli, Norovirus, Hepatitis A, Campylobacter, Listeria, or Salmonella) and injuries caused by food tampering have severely injured the reputations of participants in the food business and could do so in the future as well. Further, if any such report were to affect one or more of the retailers or shoppers on Instacart, it could reduce customer confidence in and use of our offerings. The potential for acts of terrorism on food supply also exists, and if such an event occurs, it could harm our business and results of operations.

The tax laws to which we are subject or under which we operate are unsettled and may be subject to significant change. The issuance of additional guidance related to existing or future tax laws, or changes to tax laws or regulations proposed or implemented by the current or a future U.S. presidential administration, Congress, or taxing authorities in other jurisdictions, including jurisdictions outside of the United States, could materially affect our tax obligations and effective tax rate. Such changes have had and, along with any related uncertainty generated by these changes, may in the future have adverse impacts on our business, financial condition, results of operations, and cash flows. The amount of taxes we pay in different jurisdictions depends on the application of the tax laws of various jurisdictions, including the United States, to our international business activities, tax rates, new or revised tax laws, or interpretations of tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. Similarly, a taxing authority could assert that we are subject to tax in a jurisdiction where we believe we have not established a taxable connection, often referred to as a "permanent establishment" under international tax treaties, and such an assertion, if successful, could increase our expected tax liability in one or more jurisdictions. In addition, the Organisation for Economic Cooperation and Development has published proposals covering a number of issues, including minimum tax rules, country-by-country reporting, permanent establishment guidance, transfer pricing rules, tax treaties, and taxation of the digital economy. Several foreign jurisdictions, including some of those in which we operate, have formally adopted these proposals in their tax code, which could adversely affect our effective tax rate or result in higher cash tax liabilities in such jurisdictions.

Operating our business and platform involves the collection, use, storage, transmission, and other processing of sensitive, proprietary, and confidential information, including personal information of customers, shoppers, and personnel, our proprietary and confidential information, and the confidential information of partners including retailers and brands. Security incidents compromising the confidentiality, integrity, or availability of this information or our IT systems or data (or those of third parties upon which we rely or otherwise engage with), or disrupting our ability (or that of third parties with whom we work) to provide our offerings, products, and/or services, could materially impact our business and results of operations. We face evolving cybersecurity threats and threat actors including but not limited to state-sponsored and advanced persistent threat actors, malicious code and malware (such as viruses, worms and ransomware), social engineering (including deep fakes, which may be increasingly difficult to identify as fake, phishing, and vishing), denial-of-service attacks, credential harvesting, credential stuffing, supply-chain attacks, server malfunctions, software or hardware failures, security bugs, vulnerabilities or misconfigurations in the software or systems on which we rely, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, and other similar threats. In addition, malfeasance, error, theft, or misuse by our own personnel or the personnel of our strategic partners, our collaborators, or the third-party service providers with which we engage, of our intellectual property, financial data, or employee, retailer, customer, brand, or shopper data, could adversely affect our business and results of operations, particularly if such information is provided to or accessed by a competitor. We rely on a number of third parties to operate our critical business systems and to process confidential and personal information, such as the payment processors that process customer credit card payments, cloud service providers, and employee and customer service centers, including those located in other countries. Our ability to require, monitor, and enforce these third parties' information security practices is limited. Because third parties provide operational support to our business and process confidential and personal information on our behalf, we could experience materially adverse consequences as a result of cyberattacks or incidents experienced by those third parties. Third party and supply chain attacks have increased in frequency and severity and we cannot guarantee that the security of our service providers or any of their partners has not been materially compromised. We also cannot be certain that our contracts with these third parties will allow us to obtain indemnification or recovery from them for data security-related liability that they cause us to incur. Threat actors, nation-states, and nation-state-supported actors now engage, and are expected to continue to engage, in cyber-attacks, including for geopolitical reasons and in connection with military conflicts and operations. Due to the current geopolitical environment, we and the third parties upon which we rely are at heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to maintain, sell, and distribute our offerings and services. In particular, severe ransomware and extortion attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. In addition, remote work poses risks to our information technology systems and data, as our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit, and in public locations. For example, technologies in our employees' and service providers' homes are often not as robust as in our offices and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in our offices. Further, the security systems in place at our employees' and service providers' homes, or other remote work locations, may be less secure than those used in our offices. There is no guarantee that the privacy, data security, and data protection safeguards we or our service providers have put in place will be comprehensive, or completely implemented, complied with, or effective. Additionally, future and past business transactions with other parties (such as acquisitions, strategic partnerships, collaborations, or integrations) have exposed us to additional cybersecurity risks and vulnerabilities associated with those parties, such as security issues that were not identified during due diligence, and difficulty or incomplete integration of their systems into our information technology environment and security program. We and our third-party providers regularly experience cyberattacks and other security incidents, and we expect such attacks and incidents to continue. For example, we regularly experience credential stuffing attacks in which malicious third parties use credentials compromised in data breaches suffered by other companies or otherwise improperly obtain credentials to access shopper or customer accounts on Instacart, as well as sophisticated social engineering attacks, which, if successful, could lead to the installation of malware on our network and unauthorized access to and acquisition of information. It is increasingly difficult and costly to detect, investigate, mitigate, contain, and remediate a security incident. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business, which presents additional opportunities for threat actors to gain access to other networks and systems. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. For example, threat actors may use an initial compromise of one part of our environment to gain access to other parts of our environment, or leverage a compromise of our networks or systems to gain access to the networks or systems of third parties with whom we work, such as through phishing or supply chain attacks. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We are unable to comprehensively apply patches or confirm that measures are in place to mitigate all such vulnerabilities, or that patches will be applied before vulnerabilities are exploited, resulting in a security incident. While we have implemented security measures designed to protect against security incidents, we and our third party providers cannot anticipate, or implement adequate preventative measures to address all cybercrime and hacking techniques (including the use of AI) used by threat actors, including those that are designed to circumvent controls, avoid detection, and remove or obfuscate forensic artifacts. Any or all of the following could independently or in the aggregate cause a material adverse impact to our business, financial condition, and results of operations: loss of customer confidence in the security of Instacart and damage to our brand, reduced demand for our offerings, serious disruption of normal business operations, material diversion of resources to investigate and remediate incidents, exposure to legal liability, including through litigation (such as class actions), regulatory enforcement, and indemnity obligations. Further, applicable privacy, data security, and data protection obligations require us to notify relevant stakeholders of certain security incidents, including affected individuals, customers, regulators, and investors, or to take other actions, such as providing credit monitoring and identity theft protection services. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences, including potential statutory damages. We have expended and may in the future expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations have required us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive information. These risks are expected to increase as we continue to grow and process, store, and transmit increasingly large amounts of data, including across different jurisdictions. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy, data security, and data protection obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy, data security, and data protection practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.